research-article

Is this app safe?: a large scale study on application permissions and risk signals

Authors:

Yusuke Yamamoto,

N. AsokanAuthors Info & Claims

WWW '12: Proceedings of the 21st international conference on World Wide Web

Pages 311 - 320

https://doi.org/10.1145/2187836.2187879

Published: 16 April 2012 Publication History

Abstract

Third-party applications (apps) drive the attractiveness of web and mobile application platforms. Many of these platforms adopt a decentralized control strategy, relying on explicit user consent for granting permissions that the apps request. Users have to rely primarily on community ratings as the signals to identify the potentially harmful and inappropriate apps even though community ratings typically reflect opinions about perceived functionality or performance rather than about risks. With the arrival of HTML5 web apps, such user-consent permission systems will become more widespread. We study the effectiveness of user-consent permission systems through a large scale data collection of Facebook apps, Chrome extensions and Android apps. Our analysis confirms that the current forms of community ratings used in app markets today are not reliable indicators of privacy risks of an app. We find some evidence indicating attempts to mislead or entice users into granting permissions: free applications and applications with mature content request more permissions than is typical; 'look-alike' applications which have names similar to popular applications also request more permissions than is typical. We also find that across all three platforms popular applications request more permissions than average.

References

[1]

A. Acquisti and R. Gross. Imagined communities: Awareness, information sharing, and privacy on the facebook. In G. Danezis and P. Golle, editors, Privacy Enhancing Technologies, volume 4258 of Lecture Notes in Computer Science, pages 36--58. Springer, 2006.

Digital Library

[2]

Android Developer's Guide -- Manifest Permissions. http://developer.android.com/reference/android/Manifest.permission.html.

[3]

Android Market. https://market.android.com.

[4]

AppBrain. http://www.appbrain.com.

[5]

D. Barrera, W. Enck, and P. C. van Oorschot. Seeding a Security-Enhancing Infrastructure for Multi-market Application Ecosystems. Technical report, Carleton University, April 2011. TR-11-06.

[6]

D. Barrera, P. C. van Oorschot, and A. Somayaji. A Methodology for Empirical Analysis of Permission-Based Security Models and its Application to Android Categories and Subject Descriptors. In Proc. of the 17th ACM conf. on Computer and Communications Security, CCS '10, pages 73--84. ACM, 2010.

Digital Library

[7]

J. Bonneau, J. Anderson, and L. Church. Privacy suites: shared privacy for social networks. In Proc. of the 5th Symposium on Usable Privacy and Security, SOUPS '09. ACM, 2009.

Digital Library

[8]

P. H. Chia, A. P. Heiner, and N. Asokan. Use of ratings from personalized communities for trustworthy application installation. In Proc. of the 15th Nordic conf. in Secure IT Systems, NordSec '10, 2010.

Digital Library

[9]

P. H. Chia and S. J. Knapskog. Re-evaluating the wisdom of crowds in assessing web security. In G. Danezis, editor, Financial Cryptography and Data Security, FC '11, volume 7035 of Lecture Notes in Computer Science, pages 299--314. Springer, 2012.

Digital Library

[10]

F. Cohen. Computational aspects of computer viruses. Computers & Security, 8(4):297--298, 1989.

Digital Library

[11]

F. J. Damerau. A technique for computer detection and correction of spelling errors. Communications of the ACM, 7:171--176, March 1964.

Digital Library

[12]

W. Enck, M. Ongtang, and P. McDaniel. On lightweight mobile phone application certification. In Proc. of the 16th ACM conf. on Computer and Communications Security, CCS '09, pages 235--245. ACM, 2009.

Digital Library

[13]

Facebook Developers -- Permissions. https://developers.facebook.com/docs/reference/api/permissions/.

[14]

Facebook partners with WOT. Article on ArcticStartup website, May 2011. http://www.arcticstartup.com/2011/05/12/facebook-partners-with-wot-to-protect-its-700-million-users.

[15]

A. P. Felt. Personal Communication.

[16]

A. P. Felt, E. Chin, S. Hanna, D. Song, and D. Wagner. Android permissions demystified. In Proc. of the 18th ACM conf. on Computer and Communications Security, CCS '11, pages 627--638. ACM, 2011.

Digital Library

[17]

A. P. Felt, K. Greenwood, and D. Wagner. The effectiveness of application permissions. In Proc. of the 2nd USENIX conf. on Web application development, WebApps '11. USENIX Association, 2011.

Digital Library

[18]

Google Chrome Extensions -- Permission Warnings. http://code.google.com/chrome/extensions/permission_warnings.html.

[19]

Google Chrome Web Store -- Extensions. https://chrome.google.com/webstore?category=ext.

[20]

J. King, A. Lampinen, and A. Smolen. Privacy: Is there an app for that? In Proc. of the 7th Symposium on Usable Privacy and Security, SOUPS '11, pages 12:1--12:20. ACM, 2011.

Digital Library

[21]

K. Kostiainen, E. Reshetova, J.-E. Ekberg, and N. Asokan. Old, new, borrowed, blue --: a perspective on the evolution of mobile platform security architectures. In Proc. of the 1st ACM conf. on Data and Application Security and Privacy, CODASPY '11, pages 13--24. ACM, 2011.

Digital Library

[22]

V. I. Levenshtein. Binary codes capable of correcting deletions, insertions, and reversals. Soviet Physics Doklady, 10(8):707--710, 1966.

[23]

M. Marsall. How HTML5 will kill the native app. Article on VentureBeat website, April 2011. http://venturebeat.com/2011/04/07/how-html5-will-kill-the-native-app/.

[24]

T. Moore and B. Edelman. Measuring the perpetrators and funders of typosquatting. In R. Sion, editor, Financial Cryptography and Data Security, FC '10, volume 6052 of Lecture Notes in Computer Science, pages 175--191. Springer, 2010.

Digital Library

[25]

Our project site. http://aurora.q2s.ntnu.no/app.

[26]

Socialbakers -- Applications on Facebook. http://www.socialbakers.com/facebook-applications.

[27]

J. Tam, R. W. Reeder, and S. Schechter. I'm Allowing What? Disclosing the authority applications demand of users as a condition of installation. Technical report, Microsoft Research, 2010. MSR-TR-2010--54.

[28]

Watir -- Web Application Testing in Ruby. http://watir.com.

[29]

Web of Trust (WOT). http://www.mywot.com.

[30]

WhatApp? A Stanford Center for Internet and Society website. https://whatapp.org/.

[31]

D. M. Wilkinson. Strong regularities in online peer production. In Proc. of the 9th ACM conf. on Electronic commerce, EC '08, pages 302--309. ACM, 2008.

Digital Library

Cited By

Liao SCheng LLuo XSong ZCai HYao DHu HLuo BLiao XXu JKirda ELie D(2024)A First Look at Security and Privacy Risks in the RapidAPI EcosystemProceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security10.1145/3658644.3690294(1626-1640)Online publication date: 2-Dec-2024
https://dl.acm.org/doi/10.1145/3658644.3690294
Stegman JTrottier PHillier CKhan HMannan MCalandrino JTroncoso C(2023)"My privacy for their security"Proceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620438(3583-3600)Online publication date: 9-Aug-2023
https://dl.acm.org/doi/10.5555/3620237.3620438
Nomoto KWatanabe TShioji EAkiyama MMori T(2023)Understanding the Inconsistencies in the Permissions Mechanism of Web BrowsersJournal of Information Processing10.2197/ipsjjip.31.62031(620-642)Online publication date: 2023
https://doi.org/10.2197/ipsjjip.31.620
Show More Cited By

Index Terms

Is this app safe?: a large scale study on application permissions and risk signals
1. Human-centered computing
2. Security and privacy
  1. Security services
    1. Access control
  2. Systems security
    1. Operating systems security

Recommendations

Is this app safe for children?: a comparison study of maturity ratings on Android and iOS applications
WWW '13: Proceedings of the 22nd international conference on World Wide Web

There is a rising concern among parents who have experienced unreliable content maturity ratings for mobile applications (apps) that result in inappropriate risk exposure for their children and adolescents. In reality, there is no consistent maturity ...
FRAppE: detecting malicious facebook applications
CoNEXT '12: Proceedings of the 8th international conference on Emerging networking experiments and technologies

With 20 million installs a day, third-party apps are a major reason for the popularity and addictiveness of Facebook. Unfortunately, hackers have realized the potential of using apps for spreading malware and spam. The problem is already significant, as ...
Detecting malicious facebook applications

With 20 million installs a day [1], third-party apps are a major reason for the popularity and addictiveness of Facebook. Unfortunately, hackers have realized the potential of using apps for spreading malware and spam. The problem is already significant,...

Comments

Information & Contributors

Information

Published In

cover image ACM Other conferences

WWW '12: Proceedings of the 21st international conference on World Wide Web

April 2012

1078 pages

ISBN:9781450312295

DOI:10.1145/2187836

General Chairs:
Alain Mille
Université de Lyon, France
,
Fabien Gandon
INRIA, France
,
Jacques Misselis
HP, France
,
Program Chairs:
Michael Rabinovich
Case Western Reserve University, USA
,
Steffen Staab
University of Koblenz-Landau, Germany

Copyright © 2012 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

Univ. de Lyon: Universite de Lyon

In-Cooperation

SIGWEB: ACM Special Interest Group on Hypertext, Hypermedia, and Web

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 16 April 2012

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

WWW 2012

Sponsor:

Univ. de Lyon

WWW 2012: 21st World Wide Web Conference 2012

April 16 - 20, 2012

Lyon, France

Acceptance Rates

Overall Acceptance Rate 1,899 of 8,196 submissions, 23%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

115
Total Citations
View Citations
2,242
Total Downloads

Downloads (Last 12 months)50
Downloads (Last 6 weeks)4

Reflects downloads up to 01 Mar 2025

Other Metrics

View Author Metrics

Citations

Cited By

Liao SCheng LLuo XSong ZCai HYao DHu HLuo BLiao XXu JKirda ELie D(2024)A First Look at Security and Privacy Risks in the RapidAPI EcosystemProceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security10.1145/3658644.3690294(1626-1640)Online publication date: 2-Dec-2024
https://dl.acm.org/doi/10.1145/3658644.3690294
Stegman JTrottier PHillier CKhan HMannan MCalandrino JTroncoso C(2023)"My privacy for their security"Proceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620438(3583-3600)Online publication date: 9-Aug-2023
https://dl.acm.org/doi/10.5555/3620237.3620438
Nomoto KWatanabe TShioji EAkiyama MMori T(2023)Understanding the Inconsistencies in the Permissions Mechanism of Web BrowsersJournal of Information Processing10.2197/ipsjjip.31.62031(620-642)Online publication date: 2023
https://doi.org/10.2197/ipsjjip.31.620
Gao CLi YQi SLiu YWang XZheng ZLiao Q(2023)Listening to Users' Voice: Automatic Summarization of Helpful App ReviewsIEEE Transactions on Reliability10.1109/TR.2022.321756672:4(1619-1631)Online publication date: Dec-2023
https://doi.org/10.1109/TR.2022.3217566
Kuk G(2023)Nudging digital entrepreneurs: the influence of the Google Play Store top developer award on technological innovationInternational Journal of Entrepreneurial Behavior & Research10.1108/IJEBR-08-2022-072929:9/10(2110-2134)Online publication date: 17-Oct-2023
https://doi.org/10.1108/IJEBR-08-2022-0729
Tam CBalau MOliveira T(2023)What Influences People’s Adoption of Cognitive Cybersecurity?International Journal of Human–Computer Interaction10.1080/10447318.2023.227941140:23(8295-8312)Online publication date: 12-Nov-2023
https://doi.org/10.1080/10447318.2023.2279411
Jean CLefrere V(2023)Use of Personal Data for Monetization Purposes: The Case of Mobile ApplicationsJournal of Economic Issues10.1080/00213624.2023.227312857:4(1095-1102)Online publication date: 14-Dec-2023
https://doi.org/10.1080/00213624.2023.2273128
Lavranou R(2023)Predicting Privacy Decisions in Mobile Applications and Raising Users’ Privacy AwarenessResearch Challenges in Information Science: Information Science and the Connected World10.1007/978-3-031-33080-3_48(651-660)Online publication date: 23-May-2023
https://doi.org/10.1007/978-3-031-33080-3_48
Wyss EWittman ADavidson DDe Carli LSuga YSakurai KDing XSako K(2022)Wolf at the DoorProceedings of the 2022 ACM on Asia Conference on Computer and Communications Security10.1145/3488932.3523262(1139-1153)Online publication date: 30-May-2022
https://dl.acm.org/doi/10.1145/3488932.3523262
Munyendo CAcar YAviv A(2022)“Desperate Times Call for Desperate Measures”: User Concerns with Mobile Loan Apps in Kenya2022 IEEE Symposium on Security and Privacy (SP)10.1109/SP46214.2022.9833779(2304-2319)Online publication date: May-2022
https://doi.org/10.1109/SP46214.2022.9833779
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Figures

Tables

Media

View Table of Conten